Q & A

 

Q&A: How certifying in-house IT staffers as cyber analysts, pen testers can boost SMB security

By Byron V. Acohido

A security-first mindset is beginning to seep into the ground floor of the IT departments of small and mid-sized companies across the land.

Senior executives at these SMBs are finally acknowledging that a check-box approach to security isn’t enough, and that instilling a security mindset pervasively throughout their IT departments has become table stakes.

Related: The ‘gamification’ of cybersecurity training

Ransomware, business email compromises and direct ACH system hacks continue to morph and intensify. The exposure faced by SMBs is profound. Cyber intruders skilled at taking the quickest route to digitally exfiltrating the largest amount of cash prey on the weak. No small organization can afford to be lackadaisical.

More and more SMBs have begun dispatching their line IT staff to undergo training and get tested in order to earn basic cybersecurity certifications issued by the Computing Technology Industry Association, aka CompTIA, the non-profit trade association that empowers people to build successful tech careers.

Many companies are taking it a step further, selecting certain techies to also receive advanced training and pursue specialty CompTIA certifications in disciplines such as ethical hacking and penetration testing. Last Watchdog recently sat down with James Stanger, CompTIA’s Chief Technology Evangelist, to discuss how and why SMBs have finally come to see the light. Below are excerpts of our discussion edited for clarity and length:

LW: What are the drivers behind SMBs finally ‘getting’ security?

Stanger: It’s two things. First, companies are more reliant on digital systems than ever before. Frankly, a lot of companies got away with using analogue processes for years, and now they’re finally having to adopt the cloud and the Internet of Things. Secondly, businesses with 10 to 250 people generally have felt for a long time that they weren’t big enough to attack. That’s just not the case anymore. …more

Q&A: Reddit breach shows use of ‘SMS 2FA’ won’t stop privileged access pillaging

By Byron V. Acohido

The recent hack of social media giant Reddit underscores the reality that all too many organizations — even high-visibility ones that ought to know better — are failing to adequately lock down their privileged accounts.

Related: 6 best practices for cloud computing

An excerpt from Reddit’s mea culpa says it all: “On June 19, we learned that between June 14 and June 18, an attacker compromised a few of our employees’ accounts with our cloud and source code hosting providers. Already having our primary access points for code and infrastructure behind strong authentication requiring two factor authentication (2FA), we learned that SMS-based authentication is not nearly as secure as we would hope, and the main attack was via SMS intercept. We point this out to encourage everyone here to move to token-based 2FA.”

It’s safe to assume that Reddit has poured a small fortune into security, including requiring employees to use SMS-delivered one-time passcodes in order to access sensitive company assets.

But here’s the rub: Reddit overlooked the fact that SMS 2FA systems are useful only up to a point. It turns out they can be subverted with just a modicum of effort. SIM card hijacking, for instance, is a scam in which a threat actor persuades the phone company to divert data to a new address. And then there’s SS7 hacking, which leverages known flaws in the global SMS infrastructure to intercept data in transit — including passcodes.

In fact, SMS attacks are being refined and improved daily. This is because they are useful in targeting big companies. This summer alone, in the wake of the Reddit hack, British mobile phone retailer Carphone Warehouse, ticketing giant Ticketmaster, telecom company T-Mobile and British Airways disclosed huge data compromises of similar scale and methodology. …more

Q&A: The troubling implications of normalizing encryption backdoors — for government use

By Byron V. Acohido

Should law enforcement and military officials have access to a digital backdoor enabling them to bypass any and all types of encryption that exist today?

We know how Vladimir Putin, Xi Jinping and Kim Jong-un would answer: “Of course!”

Related: Nation-state hacks suggest cyber war is underway

The disturbing thing is that in North America and Europe more and more arguments are being raised in support of creating and maintaining encryption backdoors for government use. Advocates claim such access is needed to strengthen national security and hinder terrorism.

But now a contingent of technology industry leaders has begun pushing back. These technologists are in full agreement with privacy and civil rights advocates who argue that this is a terrible idea.

They assert that the risk of encryption backdoors ultimately being used by criminals, or worse than that, by a dictator to support a totalitarian regime, far outweighs any incremental security benefits. I had an invigorating discussion with Jeff Hudson, CEO of Venafi, about this at Black Hat USA 2018.

Venafi is the leading provider of machine identity protection. Machine to machine connection and communication needs to be authenticated to access systems, so this technology is where the rubber meets the road, with respect to this debate. For a full drill down, please listen to the accompanying podcast. Here are excerpts edited for clarity and space:

LW: What’s wrong with granting governments the ability to break encryption?

Venafi: It has been established over a long period of time that the minute you put a backdoor in, and you think it’s secure, it almost immediately will fall into the wrong hands. Because it’s there, the bad guys will get to it. This makes backdoors the worst possible things for security.

The government wants to be able to surveil network traffic, and they want backdoors so they can see everything. If they can see all the traffic all the time, they can just sit back and surveil everything. …more

Q&A: How emulating attacks in a live environment can more pervasively protect complex networks

By Byron V. Acohido

Most large enterprises today can point to multi-millions of dollars expended over the past two decades erecting “layered defenses” to protect their digital systems.

Yet catastrophic network breaches continue apace. Turns out there’s a downside to “defense in depth.”

Related: Obsolescence creeps into legacy systems

There’s no doubt that monitoring and continually updating all parts of a multi-tiered security system is a must-do best practice. But it has also become a delicate balancing act. Tweaking one system can open fresh, unforeseen security holes in another.

Spirent Communications, an 82-year-old British supplier of network performance testing equipment, recently decided to branch into cybersecurity services by tackling this dilemma head on.

Spirent pivoted into security testing two years ago with the launch of its CyberFlood security and application performance testing platform. And at Black Hat USA 2018, the company unveiled a new CyberFlood functionality that makes it possible for an enterprise to emulate a real-world attack in a live environment.

Spirent refers to this as “data breach emulation,” something David DeSanto, Spirent’s threat research director, told me is designed to give companies a great advantage: it makes it possible to see precisely how the latest ransomware or crypto mining malware would impact a specific network, with all of its quirky complexity.

Here are excerpts of our full conversation, edited for clarity and length:

LW: How did Spirent come to pivot from network performance testing to security?

DeSanto: When you think about it, security and performance are usually hooked at the hip. For our customers it often comes down to having to make a decision, ‘Do I want the performance or do I want the security?’ . . . …more

Q&A: How your typing and screen swiping nuances can verify your identity

By Byron V. Acohido

The recent data breaches at Timehop and Macy’s are the latest harbingers of what’s in store for companies that fail to vigorously guard access to all of their mission-critical systems.

Related podcast: Why identities are the new firewall

A common thread to just about every deep network breach these days is the failure of the victimized entity to effectively deploy multi-factor authentication (MFA) to at least make it harder for threat actors to access their sensitive systems.

Compromised accounts came into play in data breaches of Uber, Tesla, Gemalto, Aviva, Equifax and many others. Threat actors are authenticating themselves at numerous junctures in order to gain deep access and deliver malicious payloads without being detected.

And with “digital transformation” accelerating, there are so many more weakly-secured login accounts just waiting to be maliciously manipulated.

Generally speaking, companies have yet to fully address authentication weaknesses with respect to their legacy on-premises systems. And yet they are doubling down on public cloud services, as well as increasing their dependence on an entire new solar system of software “microservices” and “containers” that come and go.

The vast majority of these new, interconnected components and layers that make up digital transformation require login accounts, which translates into a fresh galaxy of attack vectors.

The good news is that this is a solvable problem. The Identity Access Management (IAM) space is one of the more mature subsectors of the cybersecurity industry. And IAM vendors are innovating like crazy. They are bringing data-analytics, machine-learning and behavioral biometrics to bear, to help companies more effectively manage account authentication, without slowing down digital transformation.

For instance, IAM supplier Optimal IdM recently announced that it is partnering with TypingDNA to add “typing behavior analysis” as an added feature to its core MFA services. I asked Chris Curcio, vice-president of channel sales at Optimal IdM, to set the wider context. Here are excerpts of the interview, edited for clarity and length. …more

Q&A: Crypto jackers redirect illicit mining ops to bigger targets — company servers

By Byron V. Acohido

Illicit crypto mining is advancing apace.

It was easy to see this coming. It began when threat actors began stealthily embedding crypto mining functionality into the web browsers of unwitting individuals. Cryptojacking was born. And now, the next-level shift is underway.

Related article: Illicit crypto mining hits cloud services

Cybercriminals have shifted their focus to burrowing onto company servers and then redirecting those corporate computing resources to crypto mining chores. They are doing this using both tried-and-true, as well as leading-edge, hacking techniques.

I recently unwrapped these developments in a discussion with Liviu Arsene, senior security analyst at Bitdefender, which has been closely monitoring this trend. One key bit of intelligence Bitdefender shares in a whitepaper is a breakdown of how EternalBlue has come into play, once again.

You may recall EternalBlue was one of the cyber weapons stolen from the NSA and used in the milestone WannaCry ransomware attack in the spring of 2017. WannaCry used EternalBlue to deploy a self-spreading worm to help rapidly spread a globe-spanning ransomware campaign. It also used PowerShell and Windows Management Instrumentation script to infect the victim, followed by Mimikatz to pull logins and passwords from a computer’s memory in order to move laterally across the infrastructure.

And now in 2018 EternalBlue is propagating a very similar worm, dubbed WannaMine, that has been seeking company servers to infect – and redirect to crypto mining chores – in 150 countries.

This is part of a rising number of advanced attacks designed to penetrate data centers of private and public cloud infrastructures which have the computing resources coveted by crypto miners.

The criminals aren’t asking for any ransom. They’re just taking – or more precisely, consuming — what they want: …more

National Cybersecurity Alliance advocates ‘shared responsibility’ for securing the Internet

By Byron V. Acohido

The targeting of Sen. Claire McCaskill by Russian intelligence agency hackers, as she runs for re-election, underscores the need for each individual and organization to take online privacy and security as a core part of our everyday lives.

Related: Using ‘gamification’ for security training

The National Cyber Security Alliance is a non-profit group, underwritten by the top tech companies and biggest banks, that has been out there since 2001 promoting best practices and supplying programs to engrain this mindset in our society. NCSA operates the StaySafeOnline website that provides a variety of cybersecurity educational resources and programs.

I sat down with Russ Schrader, NCSA’s new executive director, who outlined the terrific resources NCSA makes available. One program, for instance, puts on workshops for Congressional staffers and other federal employees on how to recognize and avoid nation-state backed hackers looking to interfere in elections.

For a full drill down on our conversation, please listen to the accompanying podcast. Here are excerpts, edited for clarity and length:

LW: What is the National Cyber Security Alliance?

Schrader: We are a leading nonpartisan, nonprofit group that’s very involved as a convener of experts to talk about a number of the top issues in cybersecurity. We also have a lot of educational programs that reach far beyond the insular, cybersecurity expert areas.

LW: How did this organization get started?

Schrader: The legacy is a group of CISOs from companies like Facebook, Google, Microsoft, Cisco, Oracle, Mastercard, Visa, Bank of America, Wells Fargo and a lot of others. They built a very robust group of committed cybersecurity professionals in their own businesses. But they also realized there was a greater good in encouraging safety and security of the Internet, as it becomes more and more an important part of people’s lives.

LW: Your high-level mission, as I understand it, is generally to build the level of awareness across the board?

Schrader: Absolutely. We have a lot of programs geared toward education at a lot of different levels. In addition to the consumer levels that we’re doing, we also work with people on the Hill, and try to help them during this election time, or when there may be unfriendly actors trying to hack into their e-mails or hijack their social media accounts. …more